
Rails 6.1.x Release Notes

Comprehensive release notes and changelog for Rails 6.1.x, including security patches, bug fixes, and feature updates across all supported versions.

19 Patched Vulnerabilities

6.1.7.33

Notes

  • No changes in Rails
  • Bumped Rack version requirement to version 2.2.20.11
  • Removed an unnecessary warning caused by the last change ("unknown or unsafe x-sendfile variation"). This change has no security implications.
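Several releases above change nothing in Rails and only raise the required Rack version, so the practical check for an operator is whether the application's Gemfile.lock actually resolves to those minimums. The following script is an added example (not part of these notes, Rails, Rack, or Bundler) that reads a lockfile's resolved versions and reports any gem below a minimum; Gem::Version compares the four-component NES versions such as 2.2.20.11 correctly. The sample lockfile, the remote URL and the NES_MINIMUMS table are constructed for the example.

```ruby
require "rubygems"   # Gem::Version handles four-component versions such as 2.2.20.11

# In a Gemfile.lock specs: block, resolved gems are the 4-space-indented
# "name (version)" lines; the 6-space-indented lines underneath are dependency
# constraints, not resolutions, so the regex deliberately does not match them.
RESOLVED_LINE = /\A {4}([A-Za-z0-9_.-]+) \(([^)\s]+)\)\z/

# Returns { gem_name => Gem::Version } for every resolved gem in the lockfile.
def resolved_versions(lockfile_text)
  lockfile_text.each_line.each_with_object({}) do |line, acc|
    m = RESOLVED_LINE.match(line.chomp) or next
    acc[m[1]] = Gem::Version.new(m[2])
  end
end

# Returns the subset of minimums the lockfile does not satisfy: the gem is
# missing entirely, or it resolved below the required version.
def unmet_requirements(lockfile_text, minimums)
  resolved = resolved_versions(lockfile_text)
  minimums.reject do |name, min|
    resolved[name] && resolved[name] >= Gem::Version.new(min)
  end
end

# Constructed sample lockfile: one release behind on both gems.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://gems.example/
    specs:
      rack (2.2.20.10)
      rack-test (2.1.0)
        rack (>= 1.3)
      rails (6.1.7.32)
        rack (>= 2.2.20.10)
LOCK

# Minimums taken from the 6.1.7.33 notes above; adjust as new releases ship.
NES_MINIMUMS = { "rails" => "6.1.7.33", "rack" => "2.2.20.11" }

if __FILE__ == $0
  unmet_requirements(SAMPLE_LOCK, NES_MINIMUMS).each do |gem_name, min|
    puts "#{gem_name} is below the required #{min}"
  end
end
```

Run it against a real lockfile with File.read("Gemfile.lock") in place of SAMPLE_LOCK; an empty result means every listed minimum is met.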

6.1.7.32

Bug Fixes

  • CVE-2025-61919: Rack::Request#POST reads the entire request body into memory for Content-Type: application/x-www-form-urlencoded, calling rack.input.read(nil) without enforcing a length or cap. Large request bodies can therefore be buffered completely into process memory before parsing, leading to denial of service (DoS) through memory exhaustion.
  • CVE-2025-61780: A possible information disclosure vulnerability existed in Rack::Sendfile when running behind a proxy that supports x-sendfile headers (such as Nginx). Specially crafted headers could cause Rack::Sendfile to miscommunicate with the proxy and trigger unintended internal requests, potentially bypassing proxy-level access restrictions.

Notes

  • No changes in Rails
  • Bumped Rack version requirement to version 2.2.20.10

6.1.7.31

Bug Fixes

  • CVE-2025-61770: Rack::Multipart::Parser buffers the entire multipart preamble (bytes before the first boundary) in memory without any size limit. A client can send a large preamble followed by a valid boundary, causing significant memory use and potential process termination due to out-of-memory (OOM) conditions.
  • CVE-2025-61771: Rack::Multipart::Parser stores non-file form fields (parts without a filename) entirely in memory as Ruby String objects. A single large text field in a multipart/form-data request (hundreds of megabytes or more) can consume equivalent process memory, potentially leading to out-of-memory (OOM) conditions and denial of service (DoS).
  • CVE-2025-61772: Rack::Multipart::Parser can accumulate unbounded data when a multipart part’s header block never terminates with the required blank line (CRLFCRLF). The parser keeps appending incoming bytes to memory without a size cap, allowing a remote attacker to exhaust memory and cause a denial of service (DoS).
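CVE-2025-61919 above and the three multipart issues in this release share one failure mode: a parser reads from rack.input without a ceiling, so body size translates directly into process memory. The fix is to take the patched Rack version; as defence in depth, an application can also bound the input stream itself. The middleware below is an added example (not code from Rack, Rails, or these notes) that caps the bytes any downstream reader can pull from rack.input, whether it calls read(nil) for the whole body or reads fixed chunks the way a multipart parser does. The class and option names (BodyLimit, LimitedInput, :max_bytes) and the env_for helper are this example's own.

```ruby
require "stringio"

# Rack-compatible middleware that bounds the request body a downstream parser can read.
class BodyLimit
  class TooLarge < StandardError; end

  # Wraps rack.input so that no caller can pull more than max_bytes from it,
  # whether it asks for fixed-size chunks or for everything with read(nil).
  class LimitedInput
    def initialize(io, max_bytes)
      @io = io
      @max = max_bytes
      @seen = 0
    end

    # rack.input contract: read(nil) returns the whole body, read(n) at most n bytes,
    # and nil at EOF when a length was requested.
    def read(length = nil, outbuf = nil)
      buf = +""
      loop do
        headroom = @max - @seen + 1            # one extra byte lets us detect overflow
        want = length ? [length - buf.bytesize, headroom].min : headroom
        chunk = @io.read(want)
        break if chunk.nil? || chunk.empty?
        @seen += chunk.bytesize
        raise TooLarge, "request body exceeds #{@max} bytes" if @seen > @max
        buf << chunk
        break if length && buf.bytesize >= length
      end
      return nil if buf.empty? && length && length > 0
      outbuf ? outbuf.replace(buf) : buf
    end

    # gets with a byte limit, so a single very long line cannot be buffered whole
    # before the cap is checked.
    def gets
      line = @io.gets(@max - @seen + 1)
      return nil if line.nil?
      @seen += line.bytesize
      raise TooLarge, "request body exceeds #{@max} bytes" if @seen > @max
      line
    end

    def each
      while (chunk = read(16 * 1024))
        yield chunk
      end
    end

    def rewind
      @io.rewind
      @seen = 0
    end

    def close
      @io.close if @io.respond_to?(:close)
    end
  end

  def initialize(app, max_bytes: 1 * 1024 * 1024)   # 1 MiB default; tune per application
    @app = app
    @max = max_bytes
  end

  def call(env)
    # Fast path: a declared Content-Length above the cap is rejected before any read.
    # The header is only trusted to reject, never to admit; the wrapper is the real guard
    # for chunked or mis-declared bodies.
    return too_large if env["CONTENT_LENGTH"].to_i > @max
    env["rack.input"] = LimitedInput.new(env["rack.input"], @max) if env["rack.input"]
    @app.call(env)
  rescue TooLarge
    too_large
  end

  # Builds a minimal Rack env with an in-memory body; constructed for demonstration only.
  def self.env_for(body, content_length: body.bytesize)
    env = { "REQUEST_METHOD" => "POST", "rack.input" => StringIO.new(body.b) }
    env["CONTENT_LENGTH"] = content_length.to_s if content_length
    env
  end

  private

  def too_large
    body = "Payload Too Large\n"
    [413, { "Content-Type" => "text/plain", "Content-Length" => body.bytesize.to_s }, [body]]
  end
end
```

Mount it early in the stack (in Rails, `config.middleware.insert_before 0, BodyLimit, max_bytes: ...`), ahead of anything that parses parameters. It only covers reads that happen during the request; an endpoint that must accept large uploads should stream them to disk under its own limit rather than be exempted from the cap.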

Notes

  • No changes in Rails
  • Bumped Rack version requirement to version 2.2.19.10

6.1.7.30

Bug Fixes

  • CVE-2025-59830 (rack) Rack's unsafe default in Rack::QueryParser allowed a params_limit bypass via semicolon-separated parameters
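The point of CVE-2025-59830 is that a parameter-count limit is only as good as the separator rules the counter shares with the parser: if the parser splits on both "&" and ";" but the limit only sees "&", the limit can be passed with a query string the parser still expands. As an added example (not Rack's code and not the upstream fix, which is to update Rack), the guard below counts query parameters under both separators and refuses a request that exceeds a configured maximum before any parser runs. ParamCountLimit and :max_params are names chosen for this example.

```ruby
# Rack-compatible guard that counts query parameters the way a lenient parser
# would split them, so the count cannot be lowered by switching separators.
class ParamCountLimit
  SEPARATORS = /[&;]/

  def initialize(app, max_params: 100)
    @app = app
    @max = max_params
  end

  # Counts non-empty pairs under either separator; "a=1&&b=2" counts as 2,
  # "a=1;b=2;c=3" as 3. Empty or missing query strings count as 0.
  def self.count_params(query_string)
    return 0 if query_string.nil? || query_string.empty?
    query_string.split(SEPARATORS).count { |pair| !pair.empty? }
  end

  def call(env)
    if self.class.count_params(env["QUERY_STRING"]) > @max
      body = "Too many query parameters\n"
      return [400, { "Content-Type" => "text/plain", "Content-Length" => body.bytesize.to_s }, [body]]
    end
    @app.call(env)
  end
end
```

Keep the guard's maximum at or below the params_limit the application's parser enforces; the two limits are meant to agree, and the guard simply closes the separator gap.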

Notes

  • No changes in Rails
  • Bumped Rack version requirement to version 2.2.18.10

6.1.7.29

Bug Fixes

  • CVE-2025-24293 (activestorage) allowed transformation methods that were potentially unsafe
  • CVE-2025-55193 (activestorage) logging vulnerable to ANSI escape injection

6.1.7.28

Notes

  • No changes in Rails
  • Bumped Rack version requirement to version 2.2.17.10

6.1.7.27

Notes

  • No changes in Rails
  • Bumped Rack version requirement to version 2.2.14.10

6.1.7.26

Notes

  • This is the initial release of the NES Rails 6.1.x series. It also includes the release of NES for Rack v2.2.13.10.

Bug Fixes

  • CVE-2025-27111 (rack) - Escape sequence injection vulnerability in Rack leads to possible log injection
  • CVE-2025-27610 (rack) - Local file inclusion in Rack::Static
  • CVE-2025-25184 (rack) - Possible log injection in Rack::CommonLogger
  • CVE-2024-47889 (actionmailer) - Fixed a possible ReDoS vulnerability in block_format in Action Mailer.
  • CVE-2024-47887 (actionpack) - Fixed a possible ReDoS vulnerability in HTTP Token authentication in Action Controller.
  • CVE-2024-54133 (actionpack) - Fixed a possible Content Security Policy bypass in Action Dispatch.
  • CVE-2024-41128 (actionpack) - Fixed a possible ReDoS vulnerability in query parameter filtering in Action Dispatch.
  • CVE-2024-47888 (actiontext) - Fixed a possible ReDoS vulnerability in plain_text_for_blockquote_node in Action Text.